Lately, I've been playing around with FastNetMon, to wit their community edition on GitHub.

Why the community edition? Well, I'd like to say it's because I'm cheap but that's no excuse since FastNetMon Advanced has a very liberal T&E license.

It has many ways to ingest traffic including PF_RING, Netmap, SnabbSwitch, AF_PACKET, pcap, sflow, and netflow. I've been using AF_PACKET because I don't have a card that is capable of PF_RING (being remedied since AF_PACKET is only good for a single interface).

Enough background though; I spent some time fiddling with it and getting a bit frustrated since it wasn't seeing the traffic I thought it should be seeing. First I ruled out issues with it being blind to .1q encapsulation since I had been mirroring a tagged port. Then I stopped redefining variables in the configuration file (and trimmed it down to the bare necessities for my application). Whew, Success!

Mostly. Couldn't figure out why I could see traffic I pulled with one particular test harness but not with most others. Did a lot of head scratching and running tcpdump (where I saw the traffic just fine).

Finally I found the essential clue, and not on the community edition page but rather on FastNetMon Advanced's site:

FastNetMon Advanced has support for IPv6 protocol. You need to install FastNetMon 2.0.94 version to use features mentioned in this guide.

Gee, I wonder what percentage of my test harness setups are dual stacked (and thus prefer IPv6)... Wess guessed 90% which is about right I reckon.

Forcing the traffic to IPv4 with cUrl did the trick, from the test devices that had previously not been working.

I guess I can't complain about lack of features in the Community Edition and I'll be getting off my butt to get the licensed one in place, but this is something I didn't expect to be missing.